Stricter directory control for ipa daemons, each one it's own directory

ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.fc

@@ -1 +1,9 @@
+#
+# /usr
+#
 /usr/sbin/ipa_kpasswd		--	gen_context(system_u:object_r:ipa_kpasswd_exec_t,s0)
+
+#
+# /var
+#
+/var/cache/ipa/kpasswd(/.*)?  gen_context(system_u:object_r:ipa_kpasswd_ccache_t,s0)

ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.te

@@ -8,6 +8,7 @@ policy_module(ipa_kpasswd, 1.0)
 type ipa_kpasswd_t;
 type ipa_kpasswd_exec_t;
 type ipa_kpasswd_var_run_t;
+type ipa_kpasswd_ccache_t;
 init_daemon_domain(ipa_kpasswd_t, ipa_kpasswd_exec_t)
 
 ########################################
@@ -38,6 +39,12 @@ kerberos_use(ipa_kpasswd_t)
 
 kernel_read_system_state(ipa_kpasswd_t)
 
+# /var/cache/ipa/kpasswd
+files_type(ipa_kpasswd_ccache_t)
+manage_dirs_pattern(ipa_kpasswd_t, ipa_kpasswd_ccache_t, ipa_kpasswd_ccache_t)
+manage_files_pattern(ipa_kpasswd_t, ipa_kpasswd_ccache_t, ipa_kpasswd_ccache_t)
+files_var_filetrans(ipa_kpasswd_t, ipa_kpasswd_ccache_t,dir)
+
 corenet_tcp_sendrecv_all_if(ipa_kpasswd_t)
 corenet_udp_sendrecv_all_if(ipa_kpasswd_t)
 corenet_raw_sendrecv_all_if(ipa_kpasswd_t)

ipa-server/selinux/ipa_webgui/ipa_webgui.fc

@@ -8,4 +8,4 @@
 # /var
 #
 /var/log/ipa_error\.log		--	gen_context(system_u:object_r:ipa_webgui_log_t,s0)
-/var/cache/ipa(/.*)?  gen_context(system_u:object_r:ipa_cache_t,s0)
+/var/cache/ipa/sessions(/.*)?  gen_context(system_u:object_r:ipa_cache_t,s0)